
Congressional Research Service 

Informing the legislative debate since 1914 



Privacy Protection for Customer Financial Information 



M. Maureen Murphy 

Legislative Attorney 

July 14, 2014 



Congressional Research Service 

7-5700 

www.crs.gov 

RS20185 



CRS REPORT 

Prepared for Members and Committees of Congress 



Privacy Protection for Customer Financial Information 



Summary 

One of the functions transferred to the Consumer Financial Protection Bureau (CFPB) under P.L. 
111-203, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), is 
authority to issue regulations and take enforcement actions under the two major federal statutes 
that specify conditions under which customer financial information may be shared by financial 
institutions: Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA, P.L. 106-102) and the Fair 
Credit Reporting Act (FCRA). Possible topics for congressional oversight in the 113th Congress 
include (1) the transition of power from the financial institution prudential regulators and the 
Federal Trade Commission to the CFPB; (2) CFPB’s interaction with other federal regulators and 
coordination with state enforcement efforts; and (3) the CFPB’s success at issuing rules that 
adequately protect consumers without unreasonably increasing the regulatory burden on financial 
institutions. 

GLBA prohibits financial institutions from sharing nonpublic personally identifiable customer 
information with non-affiliated third parties without providing customers an opportunity to opt 
out and mandates various privacy policy notices. It requires financial institutions to safeguard the 
security and confidentiality of customer information. FCRA regulates the credit reporting industry 
by prescribing standards that address information collected by businesses that provide data used 
to determine eligibility of consumers for credit, insurance, or employment and limits purposes for 
which such information may be disseminated. One of its provisions, which became permanent 
with the enactment of P.L. 108-159, permits affiliated companies to share non-public personal 
information with one another provided the customer does not choose to opt out. The creation of 
CFPB alters the regulatory landscape for these laws. It has primary enforcement authority over 
non-depository institutions (subject to certain exceptions) and over depository institutions with 
more than $10 billion in assets. For depository institutions with assets of $10 billion or less, the 
CFPB’s rules apply but enforcement authority remains with the banking regulators, subject to 
certain prerogatives of the CFPB. 

In the first session of the 113th Congress, the House passed H.R. 749, which would eliminate the 
GLBA requirement for an annual privacy notice if the financial institution has not changed its 
policies and practice with respect to sharing nonpublic personal information since its last 
disclosure. A similar bill, S. 635, would require that any financial institution eliminating its 
annual privacy notice must provide electronic access to its privacy policies. Several bills that 
require data breach notifications, H.R. 3990, S. 1193, S. 1897, and S. 1995, provide exemptions 
for financial institutions covered by the GLBA privacy provisions. 

For further information, see CRS Report R41338, The Dodd-Frank Wall Street Reform and 
Consumer Protection Act: Title X, The Consumer Financial Protection Bureau, by David H. 
Carpenter; and Fair Credit Reporting Act: Rights and Responsibilities, by Margaret Mikyung Lee. 






Contents 

Background 1 

Federal Laws Governing Consumer Financial Information Held by Financial Companies 1 

Gramm-Leach-Bliley’s Privacy Provisions 2 

Public and Industry Reaction 3 

The European Union Data Directive 4 

The Role of the CFPB and the 113th Congress 5 

Legislation in the 113th Congress 6 

Contacts 

Author Contact Information 6 






Background 

With modern technology’s ability to gather and retain data, financial services businesses have 
increasingly found ways to take advantage of their large reservoirs of customer information. Not 
only can they enhance customer service by tailoring services and communications to customer 
preferences, but they can benefit from sharing that information with affiliated companies and 
others willing to pay for customer lists or targeted marketing compilations. Although some 
consumers are pleased with the wider access to information about available services that 
information sharing among financial services providers offers, others have raised privacy 
concerns, particularly with respect to secondary usage. 

The United States has no general law of financial privacy. The U.S. Constitution, itself, has been 
held to provide no protection against governmental access to financial information turned over to 
third parties. United States v. Miller, 425 U.S. 435 (1976). This means that although the Fourth 
Amendment to the U.S. Constitution requires a search warrant for a law enforcement agent to 
obtain a person’s own copies of financial records, it does not protect the same records when they 
are held by financial institutions. State constitutions and laws may provide greater protection. At 
the federal level, the Right to Financial Privacy Act, 12 U.S.C. Sections 3401-3422, provides a 
measure of privacy protection by setting procedures for federal government access to customer 
financial records held by financial institutions. 



Federal Laws Governing Consumer Financial 
Information Held by Financial Companies 

There is no general federal regime covering how non-public personal information held in the 
private sector may be disclosed or must be secured. The major law which deals with this subject 
with respect to financial companies is Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA; 
P.L. 106-102), 1 which is discussed in a separate section of this report. The Fair Credit Reporting 
Act (FCRA), 15 U.S.C. Sections 1681 to 1681x, predates GLBA. It establishes standards for 
collection and permissible purposes for dissemination of data by consumer reporting agencies. It 
also gives consumers access to their files and the right to correct information therein. Another 
law, which predates GLBA, is the Electronic Funds Transfer Act, 15 U.S.C. Sections 1693a to 
1693r, which describes the rights and liabilities of consumers using electronic funds transfer 
systems. These rights include the ability of consumers to have financial institutions identify the 
circumstances under which information concerning their accounts will be disclosed to third 
parties. 

With the passage of the Fair Credit Reporting Act Amendments of 1996, P.L. 104-208, Div. A, 
Tit. II, Subtitle D, Ch. 1, Section 2419, 110 Stat. 3009-452, adding 15 U.S.C. Section 1681t(b)(2), 
companies may share with other entities certain customer information respecting transactions and 
experience with a customer without any notification requirements. Other customer information, 
such as credit report or application information, may be shared with other companies in the 
corporate family if the customers are given “clear and conspicuous” notice about the sharing and 
an opportunity to direct that the information not be shared; that is, an “opt out.” 



1 P.L. 106-102, Tit. V, 113 Stat. 1338, 1436. 15 U.S.C. §§6801 - 6809. 






Under Section 214 of P.L. 108-159, 117 Stat. 1952, the Fair and Accurate Credit Transactions Act 
of 2003 (FACT Act), subject to certain exceptions, affiliated companies may not share customer 
information for marketing solicitations unless the consumer is provided clear and conspicuous 
notification that the information may be exchanged for such purposes and an opportunity and a 
simple method to opt out. Among the exceptions are solicitations based on preexisting business 
relationships; based on current employer’s employee benefit plan; in response to a consumer’s 
request or authorization; and as required by state unfair discrimination in insurance laws. The 
2003 amendments also require the agencies to conduct regular joint studies of information 
sharing practices of affiliated companies and make reports to Congress every three years. 



Gramm-Leach-Bliley's Privacy Provisions 

Title V of GLBA (P.L. 106-102) 2 contains the privacy provisions enacted in conjunction with 
1999 financial modernization legislation. These privacy provisions preempt state law except to 
the extent that the state law provides greater protection to consumers. 3 The Consumer Financial 
Protection Act of 2010, Title X of P.L. 111-203, the Dodd-Frank Wall Street Reform and 
Consumer Protection Act of 2010 (Dodd-Frank), 4 makes the newly created Consumer Financial 
Protection Bureau (CFPB), which is located within the Federal Reserve System, the major 
rulemaking and enforcement authority for federal consumer protection laws, including the GLBA 
privacy provisions. 5 As originally enacted, GLBA allocated rulemaking and enforcement 
authority to an array of federal and state financial regulators. 6 GLBA requires that federal 
regulators issue rules that call for financial institutions to establish standards to insure the security 
and confidentiality of customer records. 7 It prohibits financial institutions 8 from disclosing 



2 P.L. 106-102, Tit. V, 113 Stat. 1338, 1436. 15 U.S.C. §§6801-6809. 

3 The Consumer Financial Protection Bureau (CFPB) is to make the determination as to whether or not a state law is 
preempted. Originally, GLBA delegated this authority to the FTC (in conjunction with the other federal regulators). 
Section 1041(a)(2) of P.L. 111-203, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, 124 
Stat. 1376, 2011, delegated this authority to the CFPB exclusively. 12 U.S.C. §5551(a)(2). 

4 P.L. 111-203, 124 Stat. 1376, 1955. 

5 P.L. 111-203, §1022, 124 Stat. 1376, 1980, 12 U.S.C. §5512. 

6 GLBA delegated authority to the federal banking regulators: the Office of the Comptroller of the Currency (national 
banks); the Office of Thrift Supervision (federal savings associations and state-chartered savings associations insured 
by the Federal Deposit Insurance Corporation (FDIC)); the Board of Governors of the Federal Reserve System (state- 
chartered banks which are members of the Federal Reserve System); FDIC (state-chartered banks which are not 
members of the Federal Reserve System, but which have FDIC deposit insurance); and the National Credit Union 
Administration (federal and federally insured credit unions). Also included is the Securities and Exchange Commission 
(brokers and dealers, investment companies, and investment advisors). 15 U.S.C. §6805(a)(1)-(5). For insurance 
companies, state insurance regulators are authorized to issue regulations implementing the GLBA privacy provisions. 
15 U.S.C. §6805(a)(6). For all other “financial institutions,” the Federal Trade Commission was provided authority to 
issue rules implementing the privacy provisions of GLBA. 15 U.S.C. §6805(a)(7). 

7 Interagency Guidelines Establishing Standards for Customer Information were published by the federal banking 
regulators on February 1, 2001 (66 Federal Register 8616). Under Section 1093 of P.L. 111-203, the Dodd-Frank Wall 
Street Reform and Consumer Protection Act of 2010 (Dodd-Frank), 124 Stat. 1376, 2095, amending 15 U.S.C. 
§6804(a), the CFPB does not have authority to prescribe regulations with regard to safeguarding the security and 
confidentiality of customer records. 

8 GLBA covers “financial institutions” within the meaning of the Bank Holding Company Act (BHCA). Controversies 
have arisen because businesses involved in activities that are not necessarily performed in traditional financial 
institutions may meet this definition. New York State Bar Association v. FTC, 276 F. Supp. 2d 110 (D.D.C. 2003), held 
that attorneys are not covered. Section 609 of P.L. 109-351 makes it clear that certified public accountants subject to 
confidentiality requirements are also excluded. 






